Principals obligated to protect student data
School principals and school trustees have an obligation to protect student data, mandated under New Zealand's privacy legislation, a fact school management systems provider MUSAC is trying to promote.
Greg Twemlow, MUSAC chief executive, says that some primary and secondary schools are still using installed servers, as opposed to cloud solutions, to run their SMS (school management systems) and other applications, and these are vulnerable to hacking, from inside the school network system and from external hackers.
"Hacking by cyber criminals and tech-savvy school students is now common overseas and recently a data hack of an Auckland school by a Danish hacker made the news," Twemlow says.
"I don't think New Zealand is different to any other advanced society where hacking attacks on school networks are now frequently reported," he says. "Even more concerning is that it's generally believed that less than 20% of hacking attacks are made public, meaning the true extent of the problem is far greater than what we read about.
Twemlow says students and visitors to school premises connect smart phones, laptops and other devices to school Wi-Fi networks, which puts them inside the school's network defences. From there it is easier for technology-savvy users to explore the data resources in a school network that includes servers – including 'hacking' into the school servers to tamper with data, such as changing test scores or accessing the personal details of other students as well as caregivers.
"When schools choose to operate servers inside their networks they rarely consider the data security implications," Twemlow explains. "If a school does operate application file servers, then they must also operate robust firewalls and employ switched on IT providers to maintain high levels of network and data security," he says.
A further important issue when schools use severs is that many teachers also work remotely from home on VPNs (Virtual Private Networks), and invariably VPN account passwords can be readily hacked, Twemlow advises.
"If even one of the many software applications hosted on the school's server network is not updated, it can create a vulnerability pathway that hackers find easy to exploit," he says.
"My advice is don't wait to be hacked before you take steps to ensure you've done all you can to protect the personal data of your students," says Twemlow. "Everyone involved in supplying, managing and accessing student data has to be mindful that safeguarding student data is paramount.
Twemlow says school principals need to be extra vigilant if they run an SMS that is installed on file servers at their school.
"As a school principal you have responsibility under New Zealand Privacy legislation to do everything in your power to the protect the personal data that you store on your servers," he explains.
Twemlow says that MUSAC began the move from a server-based SMS application to a cloud solution more than fours years ago.
"We believe that best-practice in data protection means that all schools will migrate to the cloud sooner than later, which is why MUSAC offers its products, SMS and Library Management, as-software-as-a-service (SaaS) from the cloud," he says.
"Cloud applications have a single security control point to protect. MUSAC, for example, is hosted in New Zealand (in the Massey University Cloud infrastructure in Palmerston North), which means one security update and one state-of-the-art firewall protecting all our customers," says Twemlow.
"Securely integrated cloud solutions have the necessary resources and data protection, and the 'network' is not exposed to multiple on site devices operating inside a school's firewall.
"Schools using an SMS running on servers installed in the school are relying on their network vendor, their server vendor and ultimately their staff to take on the responsibility for data security," he continues.
"This model is far more vulnerable to a data security breach, which if it leads to publication of personal data is in effect a breach of New Zealand's Privacy laws," adds Twemlow.
Twemlow says he recommends that school trustees give serious consideration to their exposure to data security vulnerabilities, including over the summer holidays when there is negligible or perhaps no monitoring of school data networks.
"If the school isn't already actively planning to run all their applications from the cloud in 2016, then it needs to be high on the agenda of the first trustees meeting in 2016.